IN THE CLAIMS 



1 . (currently amended) In a distributed network having a number of server computers and 
associated client devices, a network virus defense system, comprising: 

a network virus/worm sensor operable in a number of modes arranged to detect a 
computer virus or a computer worm in the network such that the bandwid th of the network is 
substantially unaffected in a first mode in that data packets are not removed from or added to 
network traffic, but are copied, and wherein when the virus sensor detects t he computer virus, the 
virus sensor switches to a second mode, wherein the data packets are not co pied and wherein a 
subset of data packets determined to be infected or suspected of being infected are not return ed 
to the network ; and 

a network virus sensor self registration module coupled to the network virus/worm sensor 
arranged to automatically self register the associated network virus/worm sensor 

a controller storing a rules engine used to store and source a plurality of detection ru les 
for detecting computer viruses and worms and using statistical results; 

a server for virus cleaning agents from known viruses and unknown viruses subsequently 
analyzed; and 

an anti- virus agent creation module arranged to create an a nti-virus agent or create a 
detection module, an infection module and a pavload . 

2. (original) A system as recited in claim 1 , wherein during an initialization 
phase of the network virus/worm sensor, the network virus/worm self registration module 
collects selected network environmental information and network configuration information. 
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3. (currently amended) A system as recited in claim 2, wherein when the 
distributed network is an IP based type network, the selected network environmental information 
includes an IP address for all of the relevant client devices included in the IP-based type 
network. 

4. (original) A system s recited in claim 3, wherein the network configuration 
information includes self configuration information related to an appropriate IP address for the 
network virus/worm sensor. 

5. (original) A system as recited in claim 4, wherein the network configuration 
information includes locations of all relevant server computers. 

6. (original) A system as recited in claim 5, wherein selected ones of the 
relevant server computers are identified as controllers. 

7. (original) A system as recited in claim 6, wherein each of the identified 
controllers includes a rules engine used to store and source a plurality of detection rules for 
detecting computer viruses and worms and an outbreak prevention policy (OPP) distribution and 
execution engine that provides a set of anti-virus policies, protocols, and procedures suitable for 
use by a system administrator for both preventing viral outbreaks and repairing any subsequent 
damage caused by a viral outbreak. 

8. (original) A system as recited in claim 7, wherein during the initialization 
phase, each of the rules engines associated with each of the identified controllers are updated 
with a set of detection rules for detecting computer viruses and worms. 
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9. (original) A system as recited in claim 7, wherein during the initialization 
phase, each of the outbreak prevention policy distribution and execution engines associated with 
each of the identified controllers are updated with a set of anti-virus policies, a set of anti-virus 
protocols, and a set of anti-virus procedures. 

10. (currently amended) A system as recited in claim 1 , wherein in a first mode the 
bandwidth of the network is substantially unaffected by the network virus/monitor sensorabe 
network virus/monitor sensor not removing or adding net w ork traffic but copying data packets, 
and wherein when the network virus/worm sensor detects a computer virus or a computer worm, 
the virus/worm sensor switches to a second mode such that only those data packets infected by 
the computer virus are not returned to the network. 

1 1 . (currently amended) In a distributed network having a number of server 
computers and associated client devices and a network virus/monitor sensor operable in a 
number of modes , a method of self registering a network virus defense system comprising i 

that includos a network virus/worm sensor operable in a numb e r of modes arranged t o 
detect detecting a computer virus or a computer worm in the network such that bandwidth of the 
network is substantially unaffected in a fir s t mode in that data packets are not removed from or 
added to network traffic, but are copied, a nd wherein when the virus sensor detects the computer 
virus, the vims sensor switches to a second mode, where in t h e data pa ckets are not copied and 
wherein a subset of data packets determin e d to be infected or suspected of being infected are not 
returned to the network , comprising : 

automatically self registering the associated n e twork virus/worm sensor by a network 
virus sensor self registration module coupled to the network viruo/worm sensor; 
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storing a rules engine used to store and source a plurality of detection rules from 
detecting computer viruses and worms and using statistical results 

providing virus cleaning agents from known viruses and unknown viruses subsequently 
analyzed; and 

creating a detection module that detects whether a client device is infected with a virus 
and triggers the introduction of an anti-virus infection module so that the virus in the client 
device is overwritten and an anti-virus agent pavload created based on features of the selected 
computer virus and performs as a cleaning/repairing pav load capable of cleaning and repairing 
damage done to the client device. 

12. (currently amended) A method as recited in claim 1 1 , further comprising: 
during an initialization phase of the network virus/worm sensor , collecting selected 

network environmental information and network configuration information by the network 
virus/worm self registration module. 

13. (currently amended) A method as recited in claim 1 2, wherein when the 
distributed network is an IP based type network, the selected network environmental information 
includes an IP address for all of the relevant client devices included in the IP-based type 
network. 

14. (original) A method as recited in claim 1 3, wherein the network 
configuration information includes self configuration information related to an appropriate IP 
address for the network virus/worm sensor. 
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15. (original) A method as recited in claim 14, wherein the network 
configuration information includes locations of all relevant server computers. 



16. (original) A method as recited in claim 1 5, wherein selected ones of the 
relevant server computers are identified as controllers. 

1 7. (currently amended) A method as recited in claim 16 6, wherein each of the 
identified controllers includes a rules engine used to store and source a plurality of detection 
rules for detecting computer viruses and worms and an outbreak prevention policy (OPP) 
distribution and execution engine that provides a set of anti-virus policies, protocols, and 
procedures suitable for use by a system administrator for both preventing viral outbreaks and 
repairing any subsequent damage caused by a viral outbreak. 

1 8. (original) A method as recited in claim 1 7, further comprising: 
during the initialization phase, 

updating each of the rules engines associated with each of the identified controllers with a 
set of detection rules for detecting computer viruses and worms. 

1 9. (original) A method as recited in claim 1 7, further comprising: 
during the initialization phase, 

updating each of the outbreak prevention policy distribution and execution engines 
associated with each of the identified controllers with a set of anti-virus policies, a set of anti- 
virus protocols, and a set of anti-virus procedures. 



11 



20. (currently amended) A method as recited in claim 10 ±, wherein in a first mode 
the bandwidth of the network is substantially unaffected by the network virus/monitor sensor , the 
network virus/monitor sensor not removing or adding network traffic but copying data packets, 
and wherein when the network virus/worm sensor detects a computer virus or a computer worm, 
the virus/worm sensor switches to a second mode such that only those data packets infected by 
the computer virus are not returned to the network. 

2 1 . (original) In a distributed network having a number of server computers and 
associated client devices, computer program product for self registering a network virus defense 
system, that includes a network virus/worm sensor operable in a number of modes arranged to 
detect a computer virus or a computer worm in the network, comprising: 

computer code for automatically self registering the associated network virus/worm 
sensor by a network virus sensor self registration module coupled to the network virus/worm 
sensor; and 

computer readable medium for storing the computer code. 

22. (original) Computer program product as recited in claim 21, further 
comprising: 

computer code for collecting selected network environmental information and network 
configuration information by the network virus/worm self registration module during an 
initialization phase. 

23. (original) Computer program product as recited in claim 22, wherein when 
the network is an IP based type network, the selected network environmental information 
includes an IP address for all of the relevant client devices included in the network. 
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24. (original) Computer program product as recited in claim 23, wherein the 
network configuration information includes self configuration information related to an 
appropriate IP address for the network virus/worm sensor. 

25. (original) Computer program product as recited in claim 24, wherein the 
network configuration information includes locations of all relevant server computers. 

26. (original) Computer program product as recited in claim 25, wherein selected 
ones of the relevant server computers are identified as controllers. 

27. (original) Computer program product as recited in claim 26, wherein each of 
the identified controllers includes a rules engine used to store and source a plurality of detection 
rules for detecting computer viruses and worms and an outbreak prevention policy (OPP) 
distribution and execution engine that provides a set of anti-virus policies, protocols, and 
procedures suitable for use by a system administrator for both preventing viral outbreaks and 
repairing any subsequent damage caused by a viral outbreak. 

28. (original) Computer program product as recited in claim 27, further 

comprising: 

during the initialization phase, 

updating each of the rules engines associated with each of the identified controllers with a 
set of detection rules for detecting computer viruses and worms. 
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29. (original) Computer program product as recited in claim 27, further 
comprising: 

computer code for updating each of the outbreak prevention policy distribution and 
execution engines associated with each of the identified controllers with a set of anti-virus 
policies, a set of anti-virus protocols, and a set of anti-virus procedures during the initialization 
phase. 

30. (currently amended) Computer program product as recited in claim 21 , wherein 
in a first mode the bandwidth of the network is substantially unaffected by the network 
virus/monitor sensor , the network virus/monitor sensor not removing or adding network traffic 
but copying data packets, and wherein when the network virus/worm sensor detects a computer 
virus or a computer worm, the virus/worm sensor switches to a second mode such that only those 
data packets infected by the computer virus are not returned to the network. 
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